What would a person with your real name and your phone number do with that information that would in one way or another affect your life either positively or negatively? And do you consider disclosure of your name and phone number a violation of your privacy?

Well, this is a question that many still grapple with and really don’t see a risk in the disclosure of this information. Maybe the risk is not immediate, but the damage that can be done with this information, would live one asking themselves “What really happened?.” It is at this moment when you realize that information is power and one needs to protect it to the best of their capacity.

Its normally a dilemma for many on making a choice of when, where and which information to be shared out. Lets digest this further…

  • Ever been in a situation where your doing online purchase and you have to give your details before you shop for anything or your filling up an online form just to get a download that is free?
  • Ever gone to a building and on your way in you have to give your name, email, phone number, Identity number and signature in order to access the building and the book your recording all this information is not attended to at the security desk? and still after submitting your details at the gate you still have to give the same information at the reception area detailing where you are going to?
  • Ever found yourself in a situation where you get a call from a person claiming to be from a telecom company or a bank or the government agency and they start asking you details that are meant to be private?

To just mention a few, there are people out there determined to collect your data and in any way possible make money with your data.

Now they have a new way of getting more precise and accurate data on you. It is seen to be a confirmatory gesture, but in security, it gives out your data for FREE. Its through the M-PESA confirmation pop-up (M-PESA HAKIKISHA) that lasts for 25sec. On this pop up, you get to know actual names of the person the phone number belongs to. While running on the sim toolkit, it limits the queries to just 5, but on the Safaricom App, it is limitless, allowing fraudsters to guess phone number all day and get names as per the national ID.

This feature was implemented so as to ensure people send money to the right person by seeing a pop up that showed the registered user of the sim card. The sim card registration directive was given by the Communication Authority of Kenya in 2013 for all Telcos to register sim cards to individuals and the directive was gazetted in 2015 – Kenya_Information_and_Communications_Act__Registration_of_Sim-Cards__Regulations–  .

According to a GSMA white paper dated November 2013, It highlighted different pro’s and con’s of registering Sim cards and what nations should do in order to address the several issues that other countries faced. Read more. But also with the increasing number of sim-card hawking in the streets, there are even more privacy violation risk when sharing your information. Read more.

But the feature is now being misused and people are using that 25 second pop up to record names of the registered users of a specific sim card. With this information, they orchestrate a scam campaign targeting this contacts with an aim of defrauding them money or getting even more information from them.

A case example is where one gets a call from a random number and they start the conversation by;

Scammer: “Hello, this is <caller name> from <Telco name> customer care, I’m i talking to <Your real name>?”
Victim: Yes, this is him/her…
Scammer: Good day Sir/Madam, we have realized there is an issue with your line and we would like to confirm a few things from you.

If the victim falls prey to this call, they may end up getting more information than they had, and at times even get to defraud you using the mobile banking platform. At the end of the conversation – if you were not careful – is when you realize the number that called you is not legit.

Other scenarios is that you start getting so many marketing messages and spamming messages that you have not subscribed to. some of this messages include;


Promotional Messages









Some messages are more of extortion and play with the human emotions to persuade them to be send money.









The scam pyramid never ends with your information on the wrong hands. And with the recent wrangles of an inside scam happening at Safaricom, the possibilities of your data falling in the wrong hands have day to day increased. Safaricom sued for data breach.

With the new Data Protection Act 2018 in Kenya that was signed late 2019, It puts forward regulations on data protection and what different organizations would do in order to ensure data they hold is safe. The act highlights that personal identifiable data (PII) should be protected and breach of that attracts a fine to the organization. 

So the big question is, Is Safaricom M-Pesa 25 seconds pop-up a data privacy violation or a security feature?

It is important that the organizations protect what is termed as PII and respects individuals privacy, but in as much as organizations do their part, its also important that you as an individual be #CyberSmart #CyberAware. Do not live your information out there anyhow, use applications like True caller to identify caller IDs, but most of all, be your own cop. There is a thin line between privacy and security.

How to report Fraud to Safaricom


By Michael Felix


Follow @CyberSpeakLC on Twitter and LinkedIn



  1. I was once a victim of this con-men, i did not know their tactic until i lost 6k i had in my mpesa, up to date i feel bad since i was ignorant with my private, but since then i have know more and that is why i am happy when i see such blogs being shared.

  2. I never give my actual details to this mpesa agents because of such data violations, i once asked if they can sell the data on the book and they said yes… i was shocked…

  3. I have always wondered why i get messages from sender i don’t even recognize. I hate those SMSs and every time i have to keep opting out of something i never opted in. I am tired of this marketing strategies yet Safaricom is the most expensive telco we have…

  4. What can be the alternative for Safaricom to Hakikisha where the money is going?

    I believe its more of human awareness that is needed than a technological issue. Let safaricom just have the reversal option. At least the other end will get to know something about the criminal.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Zoom Bombing & Trolls: Virtual Conference Meetings

With the Corona virus pandemic (Covid-19) having limited us to work from home and social distancing viewed as the only way of flattening the curve and reducing the virus infections. We had no alternative but to turn to the Zoom remote conferencing platform to host the Top 50 women in cybersecurity Africa conference. But later […]

Let’s Talk Social Media Security for Business

According to a Cyveillance whitepaper, social media is a phenomenon unprecedented; opening new worlds of opportunities for industries globally with great potential and rewards. This notwithstanding, it also presents numerous challenges and risks. Often-times organizations are faced with a hard time establishing and enforcing effective social media strategies. Kenya, like many other countries, has embraced the ideals […]